Simple security proof of quantum key distribution via uncertainty principle 
We present an approach to the unconditional security of quantum key distribution protocols based on the uncertainty principle. The approach applies to every case that has been treated via the argument by Shor and Preskill, and relieves them from the constraints of finding quantum error correcting codes. It can also treat the cases with uncharacterized apparatuses. We derive a secure key rate for the Bennett-Brassard-1984 protocol with an arbitrary source characterized only by a single parameter representing the basis dependence.

The aim of quantum key distribution (QKD) is to distribute a secret key between two distant parties, Alice and Bob, under the intervention by a third party, Eve. For any protocol of QKD, it is vital to have a proof of the unconditional security because the robustness against any kind of attack allowed by the law of physics is the main advantage of QKD over classical schemes aiming at the same task. One of the well-known strategies for the security proof is the argument 0] given by Shor and Preskill, in which a reduction to an entanglement distillation protocol (EDP) based on Calderbank-Shor-Steane (CSS) quantum error correcting codes (QECC) 0, El is used to show that the information leak on the final key is negligible. This approach has turned out to be quite versatile due to the simplicity of the idea: for example, the original proof for the BB84 protocol [4] has been extended 0, Q to cover the B92 protocol | . On the other hand, invoking the CSS-QECC in the proof requires the actual users to find a quantum code satisfying a certain property, which is not always an easy task. Even the innocent-looking formula [Eq. (1) below] for the asymptotic key gain needs a complicated argument || for strict derivation.

If we look back to the first proof @ of unconditional security by Mayers, we notice that it also has its own merits. One disadvantage, the complexity of the proof, was recently remedied by a simple proof [10] by Koashi and Preskill based on the same spirit, namely, reduction to a two-party protocol by omitting one of the legitimate users by a symmetry argument. In this line of approach, the error correction and the privacy amplification are decoupled once we encrypt the communication for the error correction, by consuming the previously shared key. This implies that we do not need to find a CSS-QECC and we can just use conventional schemes for the error correction. The proof also shows a peculiar and useful property, which allows the use of basis-independent uncharacterized sources or detectors. For example, if we use an ideal detector, the source can be anything as long as it does not reveal which basis is used in the BB84 protocol. We can still use the same formula for the key rate, indicating that any fault in the source can be automatically caught in the form of an increase in the observed bit errors. Unfortunately, the argument of omitting one party relies heavily on the symmetry of the BB84 protocol, and it cannot be applied to the protocols with no such symmetry.

In this paper, we present an approach to the unconditional security based on the uncertainty principle. This argument has the same advantages as the Mayers-Koashi-Preskill argument, while retaining the versatility of the Shor-Preskill argument. In fact, in any protocol having a proof that relies on the Shor-Preskill argument, we can decouple the error correction and the privacy amplification just by encrypting the former, thereby relieving it from the constraint of CSS-QECC. We can also treat uncharacterized apparatuses in the protocols with lower symmetry. As an example, we derive a key rate formula for the BB84 protocol with an arbitrary source, the properties of which are unknown except for a bound on a single parameter describing the basis dependence.

Most of the QKD protocols can be equivalently described by an entanglement-based protocol, in which Alice and Bob share a pair of quantum systems $\mathcal{H}_A \otimes \mathcal{H}_B$ after discarding other systems used for random sampling tests. The state $\rho_0$ of $\mathcal{H}_A \otimes \mathcal{H}_B$ at this point is not fixed and may be highly correlated among subsystems due to Eve's intervention, but the results of the tests may give a set of promises on the possible state. For example, in the case of Shor-Preskill proof, $\mathcal{H}_A \otimes \mathcal{H}_B$ is composed of $N$ pairs of shared qubits, and there is a promise that the following statements hold except for an exponentially small probability: Suppose that each qubit is measured on $z$ or $x$ basis. Then the number $n_{\rm bit}$ of qubits showing the bit error ($\sigma_z \otimes \sigma_z = -1$) satisfies $n_{\rm bit}/N < \delta_{\rm bit}$, and the number $n_{\rm ph}$ with the phase error ($\sigma_x \otimes \sigma_x = -1$) satisfies $n_{\rm ph}/N < \delta_{\rm ph}$. Here $\delta_{\rm bit}$ and $\delta_{\rm ph}$ are determined from the results of the test. Here we consider more general cases, in which the size of $\mathcal{H}_A \otimes \mathcal{H}_B$ is arbitrary. We give a proof for the unconditional security of the protocols having the following form:

Actual Protocol — Alice and Bob make measurements on $\mathcal{H}_A$ and on $\mathcal{H}_B$, respectively. Through an encrypted classical communication consuming $r$ bits of secret key, they agree on an $N$-bit reconciled key $\kappa_{\rm rec}$, except for a negligible failure probability. In the binary vector space on $N$ bits, one party chooses a linearly-independent set $\{V_k\}_{k=1,\ldots,N-m}$ of $N$-bit sequences randomly and announces it. The $k$-th bit of the final key $\kappa_{\rm fin}$ is defined as scalar product $\kappa_{\rm rec} \cdot V_k$.

This protocol newly produces $N - m$ bits of secret key, and the net secret key gain is $N - r - m$ bits. The core of our approach is to choose a quantum operation $\Lambda$ that converts state $\rho$ on $\mathcal{H}_A \otimes \mathcal{H}_B$ to state $\Lambda(\rho)$ on $\mathcal{H}_R \otimes \mathcal{K}^{\otimes N}$, where $\mathcal{K}^{\otimes N}$ stands for $N$ qubits and $\mathcal{H}_R$ for an ancillary system $R$. Both the qubits and the ancilla are virtual, and there is no need to specify corresponding physical systems in the actual protocol. We allow $\Lambda$ to involve collective operations over $\mathcal{H}_A$ and $\mathcal{H}_B$. We only require the following property for $\Lambda$: Let us regard $\kappa_{\rm rec}$ in Actual Protocol as the outcome of a generalized measurement applied on $\mathcal{H}_A \otimes \mathcal{H}_B$. Then, the application of $\Lambda$ followed by the $z$-basis measurements on the $N$ qubits should be equivalent to this measurement of $\kappa_{\rm rec}$. If $\Lambda$ is chosen in this way, the security of Actual Protocol follows that of Protocol 1 below, in which Alice and Bob can be regarded as a single party:

Protocol 1 — Apply $\Lambda$ and discard $\mathcal{H}_R$. For the $N$ qubits $\mathcal{K}^{\otimes N}$, measure each qubit on $z$-basis to determine the $N$-bit key $\kappa_{\rm rec}$. Choose a linearly-independent set $\{V_k\}_{k=1,\ldots,N-m}$ randomly, and announce it to Eve. Let $\kappa_{\rm rec} \cdot V_k$ be the $k$-th bit of the final key $\kappa_{\rm fin}$.

In order to show that Eve has negligible information on $\kappa_{\rm fin}$, we consider yet another protocol. Suppose that, following $\Lambda$, we conduct a measurement $M_R$ on the ancilla $R$ to obtain outcome $\mu$, and subsequently measure each of the $N$ qubits on $x$ basis to obtain an $N$-bit sequence $X$. We further choose a number $\xi$ (depending on the test results) such that the promise on the initial state $\rho_0$ almost guarantees that for each outcome $\mu$, we can predict the value of $X$ with $N\xi$-bit uncertainty. More precisely, we take the following assumption:

Assumption — There exists a set $T_\mu$ of $N$-bit sequences with cardinality $|T_\mu| < 2^{N\xi}$ for each $\mu$, such that the pair of measurement outcomes $(\mu, X)$ satisfies $X \in T_\mu$ except for an exponentially small probability $\eta$.

Now we can invoke the uncertainty principle: Since the $x$-basis outcomes for the $N$ qubits can be predicted with $N\xi$-bit uncertainty, the complementary observable, namely, the $z$-basis outcomes, should be predicted by any party with at most $N(1 - \xi)$ uncertainty ^]|. Hence we expect to extract $N(1 - \xi)$ bits of secret key from the $z$-basis outcomes. This rough sketch can be made strict as follows.

Suppose that, before the measurement of $X$, we choose $m = N(\xi + \epsilon)$ random $N$-bit sequences $W_j$ ($j = 1, \ldots, m$) and measure the parity $X \cdot W_j$ by a collective projection measurement on the qubits. If we define $\Sigma_\nu(W) = \sigma_\nu^{b_1}\sigma_\nu^{b_2}\cdots\sigma_\nu^{b_N}$ ($\nu = x, z$) for $N$-bit sequence $W = [b_1 b_2 \cdots b_N]$, the above parity measurement for $X \cdot W_j$ corresponds to the observable $\Sigma_x(W_j)$. Recall that we know $X \in T_\mu$ except for probability $\eta$. As in the hashing method of EDP, by knowing $m$ random parity bits we can derive an estimate $X^*$ of $X$ with an exponentially small failure probability $\Pr(X^* \ne X) < \eta' = \eta + 2^{-N\epsilon}$. If we apply a phase-flip operation $\Sigma_z(X^*)$ according to the estimate, the state $\sigma$ of the qubits should become almost a pure state, satisfying $\langle 0_x^{\otimes N}|\sigma|0_x^{\otimes N}\rangle > 1 - \eta'$, where $|0_x^{\otimes N}\rangle$ is the $x$-basis eigenstate for $X = 0$. With this property in mind, let us consider the following protocol:

Protocol 2 — Apply $\Lambda$ and make measurement $M_R$ on $\mathcal{H}_R$. Choose $W_j$ ($j = 1, \ldots, m$) randomly, and take an arbitrary linearly-independent set $\{V_k\}_{k=1,\ldots,N-m}$ of $N$-bit sequences satisfying $V_k \cdot W_j = 0$ for any $j, k$. Announce $\{V_k\}$ to Eve. Measure $\Sigma_x(W_j)$ to determine $X^*$, and apply $\Sigma_z(X^*)$. Measure $\{\Sigma_z(V_k)\}$ to determine the $(N - m)$-bit final key $\kappa_{\rm fin}$.

When Assumption holds with $\epsilon > 0$, the above final key is determined by $z$-basis measurements applied to $\sigma$, which is very close to the $x$-basis pure eigenstate $|0_x^{\otimes N}\rangle$. Hence Eve has only negligible (at most $S(\sigma)$-bit) information about $\kappa_{\rm fin}$.
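
The choice of $\{V_k\}$ in Protocol 2 and the final-key rule $\kappa_{\rm rec} \cdot V_k$ can be written out as linear algebra over GF(2). The following Python code is an added example, not part of the paper; the function names, the storage of $N$-bit sequences as integers, and the demo values $N = 16$, $m = 6$ are assumptions of the example.

```python
import random

def parity(a, b):
    """Scalar product over GF(2) of two N-bit sequences stored as ints."""
    return bin(a & b).count("1") & 1

def rref(rows, n):
    """Reduced row echelon form over GF(2); returns (pivot rows, pivot columns)."""
    rows, pivots = list(rows), []
    for col in range(n - 1, -1, -1):
        r = len(pivots)
        idx = next((i for i in range(r, len(rows)) if (rows[i] >> col) & 1), None)
        if idx is None:
            continue
        rows[r], rows[idx] = rows[idx], rows[r]
        for i in range(len(rows)):
            if i != r and (rows[i] >> col) & 1:
                rows[i] ^= rows[r]
        pivots.append(col)
    return rows[:len(pivots)], pivots

def rank(rows, n):
    """Number of linearly independent sequences among rows."""
    return len(rref(rows, n)[1])

def orthogonal_basis(ws, n):
    """Basis of every n-bit V with V . W_j = 0 for all j (null space of the W_j)."""
    reduced, pivots = rref(ws, n)
    basis = []
    for f in (c for c in range(n) if c not in pivots):
        v = 1 << f                       # one free coordinate set to 1
        for row, p in zip(reduced, pivots):
            if (row >> f) & 1:           # pivot coordinate forced by that row
                v |= 1 << p
        basis.append(v)
    return basis

def protocol2_vectors(n, m, rng):
    """Draw m random W_j, then take N - m independent V_k orthogonal to all of them."""
    ws = [rng.getrandbits(n) for _ in range(m)]
    # If the W_j happen to be dependent the orthogonal space is larger than
    # N - m; Protocol 2 only needs N - m independent vectors from it.
    return ws, orthogonal_basis(ws, n)[: n - m]

def final_key(kappa_rec, vs):
    """k-th final key bit = kappa_rec . V_k."""
    return [parity(kappa_rec, v) for v in vs]

if __name__ == "__main__":
    rng = random.Random(7)               # fixed seed: constructed demo values
    N, m = 16, 6
    ws, vs = protocol2_vectors(N, m, rng)
    kappa_rec = rng.getrandbits(N)       # stand-in for the reconciled key
    assert all(parity(v, w) == 0 for v in vs for w in ws)
    assert rank(vs, N) == N - m
    print("final key:", final_key(kappa_rec, vs))
```
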

The equivalence of the two protocols is easy to see. In Protocol 2, the operators $\{\Sigma_z(V_k)\}$ commute with $\Sigma_z(X^*)$ and with $\Sigma_x(W_j)$ since $V_k \cdot W_j = 0$. Hence we can omit the parity check and the phase flip and still obtain the same final key. We further notice that $M_R$ is now redundant, and the choosing method of $\{V_k\}$ can be simplified to a random selection. Noting that $\{\Sigma_z(V_k)\}$ can be also obtained through a $z$-basis measurement on each qubit, we are led to Protocol 1. We thus obtain the main theorem:

Theorem — If Assumption is true for $m = N(\xi + \epsilon)$ with $\epsilon > 0$, Eve's information on $\kappa_{\rm fin}$ in Protocol 1 is at most $h(\eta') + N\eta'$ with $\eta' = \eta + 2^{-N\epsilon}$.

Here we have defined $h(y) = -y \log y - (1 - y)\log(1 - y)$. The choice of $\Lambda$ and $M_R$, which determines $\xi$, is crucial in deriving a good lower bound of the achievable secure key gain for various problems. We will discuss several examples below.

Shor-Preskill case — In the situation to which the Shor-Preskill argument applies, $\mathcal{H}_A \otimes \mathcal{H}_B$ corresponds to $N$ pairs of qubits. In this case, we choose $\kappa_{\rm rec}$ to be Bob's measurement outcome on $z$ basis. If the promise is given by the two numbers $\delta_{\rm bit}$ and $\delta_{\rm ph}$ as we mentioned earlier, Alice can determine $\kappa_{\rm rec}$ from her $z$-basis measurement and $r = N[h(\delta_{\rm ph}) + \epsilon]$ bits of communication from Bob in Actual protocol. For the security proof, we choose a trivial $\Lambda$ that just changes the definition as $\mathcal{H}_A = \mathcal{H}_R$ and $\mathcal{H}_B = \mathcal{K}^{\otimes N}$. We assume $M_R$ to be the $x$-basis measurement on Alice's $N$ qubits. It should reveal the value of $X$, which is Bob's outcome on $x$ basis, within $\delta_{\rm ph}$ bits of errors, and Assumption holds with $\xi = h(\delta_{\rm ph}) + \epsilon$. Hence we arrive at the familiar asymptotic net key gain

$$G = N[1 - h(\delta_{\rm bit}) - h(\delta_{\rm ph})]. \tag{1}$$

Unlike the Shor-Preskill proof, this key rate is achieved 
without finding a CSS-QECC. 

BB84 with a basis-independent uncharacterized source — This is the case where Alice uses a basis-independent uncharacterized source and Bob uses an ideal detector in the BB84 protocol, which was analyzed in [ljj. Let $\rho_{ab}$ acting on $\mathcal{H}_Q$ be the state of Alice's source for the basis $a = 0, 1$ and the bit value $b = 0, 1$. Alice chooses basis $a$ randomly, and then with probability $p_{ab}$ (note that $p_{a0} + p_{a1} = 1$), Alice sends out $\rho_{ab}$ to a quantum channel, which may be tampered by Eve. Bob receives a qubit state on $\mathcal{K}_B$ from the channel, on which he conducts the ideal $z$- or $x$-basis measurement depending on his random basis choice $a' = 0, 1$, respectively. Subsequently, they make $a$ and $a'$ public. After repeating this many times, they randomly sample events with $a = a'$ to determine the observed error rates $\delta_a$ for $a = 0, 1$. Bob randomly picks $N$ outcomes from the unsampled data with $a = a' = 0$ to define $\kappa_{\rm rec}$. Alice obtains $\kappa_{\rm rec}$ with the help of a secret communication from Bob consuming $r = N[h(\delta_0) + \epsilon]$ bits of secret key. (The portion with $a = a' = 1$ can be handled similarly.)

The basis-independent source satisfies $\rho_0 = \rho_1$, where $\rho_a = p_{a0}\rho_{a0} + p_{a1}\rho_{a1}$. Then, we can find a state $\chi$ on $\mathcal{H}_S \otimes \mathcal{H}_Q$ and measurements $M_a$ on $\mathcal{H}_S$ with POVM elements $\{F_{a0}, F_{a1}\}$, such that ${\rm Tr}_S[(F_{ab} \otimes 1_Q)\chi] = p_{ab}\rho_{ab}$. We are thus allowed to consider an equivalent protocol in which Alice prepares $\chi$ and conducts measurement $M_a$ on $\mathcal{H}_S$ to determine her bit value $b$. This new protocol takes the form of Actual protocol by defining $\mathcal{H}_A = \mathcal{H}_S^{\otimes N}$ and $\mathcal{H}_B = \mathcal{K}_B^{\otimes N}$. For the security proof, we choose a trivial $\Lambda$ that just changes the definition as $\mathcal{H}_A = \mathcal{H}_R$ and $\mathcal{H}_B = \mathcal{K}^{\otimes N}$. We then assume $M_R$ to be $M_1$ applied on each $\mathcal{H}_S$. In order to establish a statement like Assumption, we need to know the relation between the outcome of $M_1$ and the outcome of the $x$-basis measurement on $\mathcal{K}_B$. Fortunately, this is exactly the same pair of measurements used in determining the error rate $\delta_1$. Hence Assumption holds with $\xi = h(\delta_1) + \epsilon$, and we obtain the asymptotic net key gain

$$G = N[1 - h(\delta_0) - h(\delta_1)]. \tag{2}$$

Note that everything we need in the actual protocol is $\delta_0$ and $\delta_1$. There is no need to know the identities of $\chi$ and $M_a$, and hence no need to characterize the source to determine $\rho_{ab}$, as long as it is guaranteed to be basis-independent.

BB84 with a basis-dependent uncharacterized source — The main theorem allows us to prove unconditional security in the general case of $\rho_0 \ne \rho_1$. Of course, we need to know something about the source states since the protocol is entirely insecure if $\rho_0$ and $\rho_1$ are orthogonal. A natural choice is to assume that we know a single parameter $\Delta$, which determines a lower bound on the fidelity [13], [14] between the two states:

$$1 - 2\Delta \le \sqrt{F(\rho_0, \rho_1)} = {\rm Tr}(\sqrt{\rho_1}\,\rho_0\sqrt{\rho_1})^{1/2}. \tag{3}$$

Note that for $F < 1$, we can still find two pure states $|\chi_0\rangle$ and $|\chi_1\rangle$ in $\mathcal{H}_S \otimes \mathcal{H}_Q$ satisfying $\langle\chi_0|\chi_1\rangle = 1 - 2\Delta$ such that for each value of $a$, there is a POVM measurement $M_a = \{F_{a0}, F_{a1}\}$ on $\mathcal{H}_S$ satisfying ${\rm Tr}_S[(F_{ab} \otimes 1_Q)|\chi_a\rangle\langle\chi_a|] = p_{ab}\rho_{ab}$. For a special case where $\mathcal{H}_S$ includes a qubit as a subsystem and $M_0$ and $M_1$ are the standard $x$- and $z$-basis measurement on that qubit, Gottesman et al. derived a secure key rate along the line of Shor-Preskill argument, which allows positive key gain up to $\Delta < 0.029$. Here we can derive a better key rate formula for arbitrary states $\{\rho_{ab}\}$.

Let us consider an equivalent protocol in which Alice chooses the basis $a$ by measuring a "quantum coin" 0] described by a qubit $\mathcal{K}_C$. If she prepares $\mathcal{H}_S \otimes \mathcal{H}_Q \otimes \mathcal{K}_C$ in state $|\Psi\rangle = (|\chi_0\rangle|0_z\rangle_C + |\chi_1\rangle|1_z\rangle_C)/\sqrt{2}$ and measures $\mathcal{K}_C$ on $z$ basis, the outcome $a$ is random and $\mathcal{H}_S \otimes \mathcal{H}_Q$ is prepared in state $|\chi_a\rangle$. Then she conducts measurement $M_a$ on $\mathcal{H}_S$ to prepare $\rho_{ab}$ with probability $p_{ab}$. In order to prove security, we follow the same argument as in the basis-independent case up to the point where we need to know the relation between the outcome of $M_1$ and that of $x$-basis measurement on $\mathcal{K}_B$. Unfortunately, we have no direct clue this time. The expected error rate $\delta_{\rm ph}$ in this fictitious set of measurements is no longer equal to $\delta_1$, since the former is taken for $a = 0$ and the latter is for $a = 1$.

In order to determine upper bounds on $\delta_{\rm ph}$, let us consider the following scenario. Alice starts from and she immediately sends the $L$ copies of system $Q$ into the channel. After Eve's attack, Bob receives the qubits $\mathcal{K}_B^{\otimes L}$. For every pair of systems $\mathcal{H}_S \otimes \mathcal{K}_B$, Bob may choose $a'$ randomly, but regardless of its value, measurement $M_1$ and $x$-basis measurement are applied to determine whether there is an error ($t = 1$) or not ($t = 0$). Finally, Alice measures the coin $\mathcal{K}_C$ on $z$ basis to determine $a$. Let us denote the empirical probability for the $L$ events by $r(\cdot)$. For example, $r(t = 1|a = 0)$ is the number of events with ($t = 1$, $a = 0$) divided by that of events with $a = 0$.

The rate $\delta_{\rm ph}$ can be regarded as an error rate in a fair sampling from the events with $a = a' = 0$. Since $a'$ has no effect in the above scenario, it can also be regarded as a fair sampling from the events with $a = 0$. We thus have $\delta_{\rm ph} = r(t = 1|a = 0)$. Similarly, $\delta_1 = r(t = 1|a = 1)$. Since $r(a = 0) = 1/2$, we have

$$r(t = 1) = (\delta_1 + \delta_{\rm ph})/2, \quad r(a = 1|t = 1) = \delta_1/(\delta_1 + \delta_{\rm ph}), \quad r(a = 0|t = 0) = (1 - \delta_{\rm ph})/(2 - \delta_1 - \delta_{\rm ph}). \tag{4}$$

Now we describe two methods of deriving a bound on $\delta_{\rm ph}$. The first one is to apply the main theorem formally to the coins, regarding $\mathcal{K}_C^{\otimes L}$ as $\mathcal{K}^{\otimes N}$ in the theorem. Since $\|{}_C\langle 1_x|\Psi\rangle\|^2 = \Delta$, it is guaranteed that we can distill a secret key of length $L(1 - h(\Delta) - \epsilon)$ from the $z$-basis measurement results. This implies that even with the knowledge of each $t$, the entropy of the outcomes $a$ should be larger than $L(1 - h(\Delta) - \epsilon)$. Hence we have

i 2-S 1 -S ph f l-6 ph \ / 1-jjph-jih 
+ 2 n \2- Sl -6 ph ) Stl \ 2 )> 

(5) 

which shows that $\delta_{\rm ph} = \delta_1$ for $\Delta = 0$ and $\delta_{\rm ph}$ becomes larger when $\Delta > 0$. If we write the maximum of $\delta_{\rm ph}$ under the above first inequality as $f(\delta_1, \Delta)$, the key gain is given by

$$G = N[1 - h(\delta_0) - h(\max\{1/2, f(\delta_1, \Delta)\})]. \tag{6}$$

This key gain is positive only for $\Delta < 0.056$.

The second method is more complicated, but gives a better rate. We assume that for each event, Alice draws a random binary variable $s$ with a small probability of being $s = 1$. If $s = 0$, she just follows the above scenario, but if $s = 1$, she measures the coin $\mathcal{K}_C$ on $x$ basis instead of $z$ basis. Let $a$ be the outcome of this $x$ basis measurement, and define $r_{x,j} = r(a = 1|s = 1, t = j)$ and $r_{z,j} = r(a = 0|s = 0, t = j)$ for $j = 0, 1$. Since $\|{}_C\langle 1_x|\Psi\rangle\|^2 = \Delta$, we have

$$r(t = 0)\,r_{x,0} + r(t = 1)\,r_{x,1} = r(a = 1|s = 1) = \Delta. \tag{7}$$

Note that $r_{x,j}$ is determined from the outcomes of $x$-basis measurements applied to random samples from the qubits with $t = j$, and $r_{z,j}$ is from the $z$-basis outcomes for the rest of the qubits. This problem of random sampling was analysed in [5], and it was shown that for all $\epsilon > 0$, except for an exponentially small probability, there exists a qubit state $\rho$ such that $|r_{z,j} - \langle 0_z|\rho|0_z\rangle| < \epsilon$ and $|r_{x,j} - \langle 1_x|\rho|1_x\rangle| < \epsilon$. We thus obtain the following relation in the asymptotic limit:

$$(1 - 2r_{x,j})^2 + (1 - 2r_{z,j})^2 \le 1. \tag{8}$$

Combining it with $r(t = 1) = (\delta_1 + \delta_{\rm ph})/2$, $r_{z,1} = \delta_{\rm ph}/(\delta_1 + \delta_{\rm ph})$, $r_{z,0} = (1 - \delta_{\rm ph})/(2 - \delta_1 - \delta_{\rm ph})$, and Eq. (7), we obtain

$$2\Delta \ge 1 - \sqrt{(1 - \delta_1)(1 - \delta_{\rm ph})} - \sqrt{\delta_1\delta_{\rm ph}}. \tag{9}$$

We can now take $f(\delta_1, \Delta)$ to be the maximum of $\delta_{\rm ph}$ under Eq. (9), and obtain a better key rate with Eq. (6). Now the region of positive key gain extends to $\Delta < 0.146$, or $F(\rho_0, \rho_1) > 1/2$. Since Alice and Bob do not use the outcome $a$, this measurement can be omitted. Hence, in the actual BB84 protocol, they only have to discard a small portion of events. From Eve's point of view, Alice could have measured $a$ for the discarded events, and it is enough to apply the above security proof.
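
The two thresholds quoted above, $\Delta < 0.056$ for the first method and $\Delta < 0.146$ for the second, can be checked numerically. The following Python code is an added example, not part of the paper; its function names are hypothetical, the page's "log" is taken as base 2, the $\epsilon$ terms are dropped (asymptotic limit), and the first-method constraint is written from the text as "entropy of $a$ given $t$, computed with the probabilities of Eq. (4), is at least $1 - h(\Delta)$". As a further assumption of the example, the gain per bit is evaluated as $1 - h(\delta_0) - h(f)$ while $f < 1/2$ and taken as zero otherwise.

```python
import math

def h(y):
    """Binary entropy in bits (the page's 'log' is taken as base 2)."""
    return 0.0 if y <= 0 or y >= 1 else -y * math.log2(y) - (1 - y) * math.log2(1 - y)

def coin_entropy(d1, dph):
    """Entropy of the coin outcome a given t, from the probabilities of Eq. (4)."""
    p1 = (d1 + dph) / 2                          # r(t = 1)
    p0 = 1 - p1                                  # r(t = 0)
    e1 = h(d1 / (d1 + dph)) if p1 > 0 else 0.0   # h(r(a = 1 | t = 1))
    e0 = h((1 - dph) / (2 - d1 - dph)) if p0 > 0 else 0.0  # h(r(a = 0 | t = 0))
    return p1 * e1 + p0 * e0

def allowed_first(d1, dph, delta):
    """First method: entropy of a given t is at least 1 - h(Delta)."""
    return coin_entropy(d1, dph) >= 1 - h(delta)

def allowed_second(d1, dph, delta):
    """Second method: the constraint of Eq. (9)."""
    return 2 * delta >= 1 - math.sqrt((1 - d1) * (1 - dph)) - math.sqrt(d1 * dph)

def f_max(allowed, d1, delta, iters=60):
    """f(delta_1, Delta): largest delta_ph in [delta_1, 1] the constraint allows."""
    if allowed(d1, 1.0, delta):
        return 1.0
    lo, hi = d1, 1.0                             # constraint holds at delta_ph = delta_1
    for _ in range(iters):
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if allowed(d1, mid, delta) else (lo, mid)
    return lo

def key_rate(allowed, d0, d1, delta):
    """Gain per bit: 1 - h(delta_0) - h(f) while f < 1/2, zero otherwise."""
    f = f_max(allowed, d1, delta)
    return max(0.0, 1 - h(d0) - h(f)) if f < 0.5 else 0.0

def delta_threshold(allowed, d0=0.0, d1=0.0, iters=50):
    """Largest Delta that still gives positive key gain (bisection on [0, 1/2])."""
    lo, hi = 0.0, 0.5
    for _ in range(iters):
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if key_rate(allowed, d0, d1, mid) > 0 else (lo, mid)
    return lo

if __name__ == "__main__":
    # Error-free case delta_0 = delta_1 = 0: thresholds of the two methods.
    print(delta_threshold(allowed_first), delta_threshold(allowed_second))
    # Constructed sample point: 2% observed errors in both bases, Delta = 0.02.
    print(key_rate(allowed_second, 0.02, 0.02, 0.02))
```
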

We have described a method of proving the unconditional security which unifies two major previous approaches and retains the advantages in both of them. We have also shown that the new method can solve a problem which eluded the previous approaches. The proof relies on the observation that Alice can guess the $z$-basis outcomes of virtual $N$ qubits with $r$-bit uncertainty in the actual protocol, and Alice and Bob can guess the $x$-basis outcomes with $m$-bit uncertainty in an equivalent protocol. The "excess" over the uncertainty limit, $N - r - m$, amounts to the key gain. Note that if they share a maximally entangled state, Alice alone can guess for both of the bases. The condition for the secrecy is weaker than that since it allows her to collaborate with Bob nonlocally for the $x$ basis. This difference is considered to be a reason for the gap between distillable entanglement and secret key gain [16]. This suggests that the present method may potentially give a key rate exceeding the amount of distillable entanglement.